TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Improvements Are Needed to Ensure Successful Development and System Integration for the Return Review Program

July 26, 2013

Reference Number: 2013-20-063

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website | http://www.treasury.gov/tigta

HIGHLIGHTS

Final Report issued on July 26, 2013

Highlights of Reference Number: 2013-20-063 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Based on the fraud it currently detects, the IRS estimates that tax refund fraud is more than $19.2 billion per fiscal year. The IRS is developing a new Return Review Program (RRP) system to implement the IRS’s new business model for a coordinated criminal and civil tax noncompliance system. Once developed and implemented, the new system will significantly enhance the IRS’s capabilities to prevent, detect, and resolve tax refund fraud, including identity theft.

WHY TIGTA DID THE AUDIT

The IRS’s current system to detect fraud is the Electronic Fraud Detection System (EFDS). The IRS determined that the EFDS, which was implemented in 1994, is outdated and would be inefficient to maintain, upgrade, or operate beyond Calendar Year 2015. Successful implementation of the new RRP system would increase the dollar amount of fraudulent tax refunds identified annually. TIGTA’s overall audit objective was to determine whether the IRS’s Information Technology Applications Development organization was adequately managing RRP Transition State 1 systems development risks to achieve stated business and information technology requirements.

WHAT TIGTA FOUND

Roles for program-level governance were not yet established for the RRP and the key role of system integrator was not documented or clearly communicated. From January to December 2012, prototype activities were conducted to validate that technology product solutions integrated successfully. However, RRP Prototype Management Plans, critical systems development products, were not completed or approved by major stakeholders before significant resources were committed. Uncertainty about the systems development path for the RRP and the absence of Enterprise Life Cycle guidance for prototypes hindered initial systems development efforts. Further, alternative commercial software products were not fully considered prior to selecting technology solutions for the RRP system.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer: 1) establish appropriate program-level governance with enterprisewide authority for the RRP; 2) clearly document the RRP systems integrator roles and responsibilities; 3) complete the RRP Prototype Management Plans, clarify how to measure prototype success, map prototype activities to requirements, incorporate lessons learned, and obtain approval from governance bodies; 4) document, for approval by RRP governance bodies, the decided systems development path; 5) establish sufficient Enterprise Life Cycle guidance for prototypes; and 6) take appropriate steps to ensure that change requests include alternative analyses and impact assessments and also establish and implement Enterprise Architecture guidelines for evaluating later versions of tested commercial products.

In its response, the IRS agreed with our recommendations and reports that it has implemented two corrective actions. The IRS established two new enterprisewide governance entities to oversee the RRP, and it updated its RRP Prototype Management Plans and individual RRP Prototype Reports for performance measures criteria and relevant functional and performance requirements. In addition, the IRS plans to document system integrator roles and responsibilities in the RRP Project Management Plan and to document the approved RRP systems development path. The IRS also plans to update the Internal Revenue Manual with prototype guidance and to develop a process for analyzing and processing Enterprise Architecture Change Requests in a standard, repeatable process.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 26, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Improvements Are Needed to Ensure Successful Development and System Integration for the Return Review Program (Audit # 201220011)

This report presents the results of our review of the Internal Revenue Service’s (IRS) efforts on developing the new system for replacing the fraud detection system. The overall objective of this review was to determine whether the IRS is effectively and efficiently implementing its continuous monitoring tool to monitor security settings on employee workstations and laptop computers.
This audit is included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Modernization.

Management’s written response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background

Results of Review
    Roles for Program-Level Governance Were Not Yet Established and Clarification Is Needed for the Key Role of System Integrator
        Recommendation 1
        Recommendation 2
    Return Review Program Prototype Management Plans Were Not Completed or Approved by Major Stakeholders
        Recommendation 3
    Uncertainty About the Systems Development Path for the Return Review Program and the Absence of Enterprise Life Cycle Guidance for Prototypes Hindered Initial Systems Development Efforts
        Recommendations 4 and 5
    Alternative Commercial Software Products Were Not Fully Considered Prior to Selecting Technology Product Solutions for the Return Review Program
        Recommendation 6

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Timeline – Return Review Program Project Events
    Appendix V – Glossary of Terms
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

CTO     Chief Technology Officer
EFDS    Electronic Fraud Detection System
ELC     Enterprise Life Cycle
IBM     International Business Machines
IRS     Internal Revenue Service
IT      Information Technology
RRP     Return Review Program
SAS     Statistical Analysis System
TS      Transition State

Background

The Internal Revenue Service’s (IRS) current fraud detection system is the Electronic Fraud Detection System (EFDS).[1] The IRS has determined that numerous inefficiencies and operational challenges render the EFDS, implemented in Calendar Year 1994, too risky to maintain, upgrade, or operate beyond Calendar Year 2015. The IRS reports that the long-term limitations of the EFDS include its inability to keep pace with increasing levels of fraud or to serve the organization’s evolving compliance needs.

[1] See Appendix V for a glossary of terms.

In February 2009, the IRS Commissioner approved a program charter authorizing the formation of the Return Review Program (RRP) under joint leadership provided by the Wage and Investment Division and Criminal Investigation. The Wage and Investment Division is responsible for RRP requirements development, risk management, governance, project management, and deployment support. Criminal Investigation is responsible for supporting the RRP by identifying and developing schemes to refer and support high-impact criminal tax and related financial investigations. In September 2010, the Applications Development organization awarded a cost-plus-incentive-fee contract to International Business Machines (IBM) for leading RRP prototyping activities.

[Callout: The RRP system will implement the IRS’s new business model for a coordinated criminal and civil tax noncompliance approach to prevent, detect, and resolve tax refund fraud, estimated by the IRS to be more than $19.2 billion per fiscal year.]

A successful RRP system is critical to the IRS mission. It will be the key automated component of the IRS’s prerefund initiative. The RRP system will implement the IRS’s new business model for a coordinated criminal and civil tax noncompliance approach to prevent, detect, and resolve tax refund fraud. Based on fraud detected by the EFDS and supplemented by manual detection methods, the IRS estimates that tax refund fraud is more than $19.2 billion per fiscal year. Successful implementation of the new RRP system would increase the dollar amount of fraudulent tax refunds identified annually. Figure 1 shows that the RRP system will use new data analytics techniques to determine and identify possible noncompliance and fraud.

Figure 1: RRP Solution Concept
Source: IRS-developed document “RRP Technical Overview,” dated September 14, 2011.

In August 2011, the Wage and Investment Division and the Applications Development organization redirected RRP systems development efforts to include new technology product solutions and to incorporate Patient Protection and Affordable Care Act (Affordable Care Act)[2] functionality into the planned scope for the system. Benefits of the RRP system include:

• Reducing the fraudulent refund claims paid by the IRS.
• Establishing capabilities to coordinate detection and resolution of criminal and civil noncompliance issues.
• Preventing criminal and civil noncompliance issues.
• Promoting increased taxpayer compliance through targeted educational information and deterrent activities.
• Creating more effective and innovative resolutions through research and analysis of both real-time trends and long-term studies.
• Handling mandatory legislation changes and significant programs (e.g., Affordable Care Act, Customer Account Data Engine 2), new tax credits, and ongoing prerefund and other noncompliance initiatives such as prisoner, identity theft, frivolous filer, tax return redesign (such as Form 1040, U.S. Individual Income Tax Return), and decedent schemes.

[2] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered section of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

This review was performed at the IRS Information Technology (IT) organization’s facilities in New Carrollton, Maryland, during the period May through October 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Roles for Program-Level Governance Were Not Yet Established and Clarification Is Needed for the Key Role of System Integrator

In February 2008, the IRS established the Criminal Investigation Executive Steering Committee as the governance body to oversee Criminal Investigation systems development projects. The Criminal Investigation Executive Steering Committee held monthly governance meetings to discuss RRP topics, approve decisions affecting the RRP, and ensure that the RRP system satisfied milestone exit requirements. However, the Criminal Investigation Executive Steering Committee does not have the authority to govern enterprisewide and program-level activities pertaining to tax fraud detection, resolution, and prevention, which directly affect RRP systems development. More specifically, it does not have the authority to ensure that fraud programs stay aligned with the IRS Strategic Plan, resolve enterprisewide issues for fraud programs and projects, and ensure that RRP objectives are met.

During our audit, the IRS took initial steps, including drafting a proposal, to establish a new executive governance body to oversee both RRP and EFDS fraud initiatives. IRS management recognizes that a change in governance is needed to provide more accountability and assurance of success for systems development of the RRP system. However, the necessary governance charter and plan were still undergoing review across IRS business units at the time of our review.

We recognize that the IRS has taken appropriate management action by reconsidering the initial governance structures established for the RRP. However, during our review, roles for program-level governance, including an RRP Program Management Office, were not established, and it was not clear how the IRS will govern the systems development process for this mission-critical system, resolve enterprisewide issues for fraud projects and programs, and resolve escalated disputes and issues from fraud projects and programs. Suitable responsibilities for this program-level governance body include:

• Establishing organizational commitments that enable fraud-related programs and projects to achieve their program goals.
• Promoting efficient and effective communication and coordination among all fraud-related programs and projects.
• Managing decisions across fraud-related programs and projects.
• Facilitating decisionmaking, governance, and systems development processes across the RRP.
• Implementing program-level management plans and systems development processes across the RRP.

Further, roles and responsibilities for integrating the various components of the RRP system during its initial development activities were not well established or clearly communicated as needed. A systems integrator is a person or company that specializes in bringing together component subsystems into a whole and ensuring that those subsystems function together as intended. Systems integrator roles and responsibilities often involve managing scope, schedule, staffing, risks, configuration management, testing, procurement, performance, reporting, and release management. The IRS officials we met with indicated that the Applications Development organization was the systems integrator for the RRP system. However, neither the September 2012 Project Management Plan for RRP Transition States (TS) 1 through 4 nor the June 2011 RRP TS1 Tailoring Plan stipulated organizational roles and responsibilities for integrating the various component subsystems that must work together for a successful RRP system.

Further, the IRS September 2010 contract with IBM does not specify or delineate key systems integrator roles and responsibilities. The contract simply states, “The contractor shall lead the development efforts and coordinate the stand-up of the physical components of the RRP environment.” As a result, specific systems integrator roles and responsibilities for the development of this mission-critical system have not been clearly established. Without clearly defined systems integrator roles and responsibilities, there is limited assurance that they will be understood, performed, successfully completed, or appropriately monitored. Accordingly, there is limited assurance that RRP systems development activities will achieve expected benefits or meet time-sensitive business and information technology requirements for addressing the IRS’s evolving tax refund fraud risks.

Recommendations

Recommendation 1: The Chief Technology Officer (CTO) should establish appropriate program-level governance with enterprisewide authority for meeting RRP objectives, managing program risks, and ensuring that the expenditure of enterprise resources is fiscally sound.

Management’s Response: The IRS agreed with this recommendation.
The RRP was originally governed by the Criminal Investigation Executive Steering Committee. To provide enterprisewide governance of revenue protection initiatives, the Revenue Protection Technology Governance Board and Executive Steering Committee are two new governance entities that were established and approved by the Information Technology Enterprise Governance Committee on November 29, 2012.

Recommendation 2: The CTO should clearly document and communicate RRP systems integrator roles and responsibilities.

Management’s Response: The IRS agreed with this recommendation. The system integrator roles and responsibilities will be documented in the Project Management Plan.

Return Review Program Prototype Management Plans Were Not Completed or Approved by Major Stakeholders

The IRS plans to deliver the RRP system incrementally through four TSs as indicated below.

• RRP TS1 involves prototyping the successful end-to-end integration of the RRP technology product solutions. Prototyping will provide confidence that the RRP TS1 architecture, preliminary design, and new technology products will meet the RRP TS1 functional and performance requirements. The RRP TS1 system will deliver the offline prevention environment, the integrated data warehouse, the initial data load (three years of history), an ongoing data integration capability, and the ability for business users to perform ad hoc manual queries to identify potential schemes. The scheduled release date for RRP TS1 is January 2014.
• RRP TS2 involves delivering the full RRP system capability for individual taxpayer returns, including offline prevention, inline detection, and systemic verification of third-party data, the integrated data warehouse, and the user interface using the Employee User Portal. The RRP system will replace the current EFDS. RRP TS2 will also incorporate the functionality of the Affordable Care Act that becomes effective in Calendar Year 2014. The IRS plans for the RRP to be available to process Processing Year 2014 Affordable Care Act tax returns filed January 2015. The scheduled release date for RRP TS2 is January 2015.
• RRP TS3 involves delivering the full RRP system capability for processing Business Master File returns. The IRS has not yet determined the scheduled release date for RRP TS3.
• RRP TS4 will enhance existing functionality and provide additional interfaces to internal and external stakeholders. The IRS has not yet determined the scheduled release date for RRP TS4.

In June 2009, the Wage and Investment Division submitted the initial budget request for the RRP through the Exhibit 300 budget submission process. Exhibit 300 depicts a required business case for a proposed investment, including expected benefits, costs, and risks for the budget proposal. In May 2012, the Wage and Investment Division and the Applications Development organization submitted a baseline change request to incorporate new technology products, add the Affordable Care Act requirements into the new system’s scope, and reflect these changes in the RRP’s cost, schedule, and performance goals. In September 2012, the Department of the Treasury approved the RRP’s revised funding request for $147 million, which included a total of $89 million for TS1 prototyping activities and hardware and software for the RRP solution.

In September 2010, the Applications Development organization awarded a cost-plus-incentive-fee contract to IBM for leading prototyping activities for RRP TS1. According to the contract, “the contractor’s primary tasks will include: developing the milestone deliverables/work products, providing technical leadership for predictive analytics, business rules, architecture development, physical design, prototype architecture, and subject matter experts during the detailed design phase for the RRP TS1 system.” As part of the RRP systems development process, IRS prototyping activities were scheduled to occur during the period January to December 2012. The purpose of the prototyping activities is to successfully integrate the technology product solutions selected for the RRP, assess their performance, and provide confidence that the RRP TS1 architecture and preliminary design will meet the RRP TS1 functional and performance requirements. The Applications Development organization had established prototype teams and responsibilities for the data, analytics, business rules, Java, reports, and infrastructure teams.

During our review, the prototype projects were in various stages of completion, and prototype project results were not yet available for our review.
Figure 2 describes the prototypes included in RRP TS1 systems development efforts and identifies the prototype tasks, the products to be prototyped and integrated, and a description of each prototype.

Figure 2: Description of RRP TS1 Prototypes

| Prototyping Task | Products | Task Description |
|---|---|---|
| 1. Implement the Physical Data Model for the RRP Database | Greenplum | Convert the logical data model to the physical data model. Resolve performance issues in the logical data model. Create the physical RRP database. |
| 2. Develop Predictive Models | Statistical Analysis System (SAS) | Start developing predictive models for income and withholding, identity theft, and frivolous filer anomaly areas. |
| 3. Integrate Enterprise Informatica Platform With the RRP Database[3] | Informatica; Greenplum | Extract and transform data from other IRS data sources and load data into the RRP database. Explore design issues regarding data transfer over wide-area network between IRS Enterprise Computing Centers. |
| 4. Integrate Tools to Track and Control Software Changes | ClearCase; Blaze Advisor | Facilitate team software development and setup and integrate software change management and rule management tools. |
| 5. Develop End-to-End Application Flow | Informatica; Java; Springbatch; Blaze Advisor; SAS; Greenplum; Business Objects | Develop an end-to-end prototype application that flows from the Enterprise Informatica Platform to the RRP database, then to batch processing that executes Java code business rules and predictive models and saves those screening results to the RRP database, and then to the desktop where users can query the results. |
| 6. Execute SAS As In-Database Analytics Against the RRP Database | SAS; Greenplum | Publish and execute predictive models using SAS in-database screening. Assess system performance. |
| 7. Assess Day-in-a-Day Performance | Informatica; Java; Springbatch; Blaze Advisor; SAS; Greenplum; Business Objects | Assess the performance of the end-to-end application. |
| 8. Use SAS Social Network Analysis | SAS | Explore the usage of SAS social network analysis in linked return analysis. Assess system performance. |
| 9. Integrate Rule Management Application With Web Application | Blaze Advisor | Develop rule management application and deploy web application. |
| 10. Integrate Desktop Reporting With the RRP Database | Business Objects; Greenplum | Develop prototype reports and ad hoc queries. |

Source: RRP TS1 MS4A Prototyping Approach and Strategy.

[3] Informatica is an enterprisewide tool used by the IRS for extracting data from existing systems and loading into new repositories.

The purpose of the RRP Prototype Management Plans is to manage the development, execution, and evaluation of these 10 RRP prototype projects. However, only draft versions of the RRP Prototype Management Plans were completed as of July 2012.
Major RRP stakeholders did not approve these critical systems development life cycle documents
before significant resources were committed to the RRP prototype activities.

Further, our review of the Draft RRP Prototype Management Plans found that the plans did not:
   • Include criteria for measuring the success of the RRP prototypes.
   • Map prototype activities back to RRP TS1 functional and performance requirements.
   • Consider or incorporate lessons learned during other prototypes, such as:
       o Each prototype team must define the detailed expected outcome of the prototype.
       o Prototype teams need a technical lead assigned to the team.
       o The technical lead needs to have a strong technical applications development
         background and skills relevant to the platform and products being prototyped.
       o The prototype time period should allow for analysis and design.

Senior Applications Development organization project management personnel review and
approve key deliverable documents, like the RRP Prototype Management Plans. The lack of
complete and approved RRP Prototype Management Plans could contribute to inefficiencies in
the RRP systems development process, increase project risks and cost overruns, and introduce
schedule delays.

During our review, we also considered results from a March 2012 internal evaluation of the
Applications Development organization’s systems development processes. This internal
evaluation concluded that a weakness existed in the Applications Development organization’s
project planning activities.
More specifically, the evaluation team concluded that it was not
evident that all projects were conducting sufficient planning activities by including
project planning activities in their project schedules and holding project-planning meetings.

Recommendation

Recommendation 3: The CTO should ensure that RRP Prototype Management Plans:
   • Clarify how to measure the success of the RRP TS1 prototypes.
   • Map back to and address key RRP TS1 functional and performance requirements.
   • Incorporate IRS prototype lessons learned.
   • Are properly approved by RRP stakeholders.

       Management’s Response: The IRS agreed with this recommendation. RRP TS1
       prototype success criteria and measures are outlined in TS1 Architecture Prototype
       reports and other documentation on the RRP SharePoint site. The RRP TS1 Milestone 4a
       Prototyping Approach and Strategy document describes the tasks to achieve the expected
       prototype results and performance goals. The strategy document outlines how the
       RRP TS1 architecture and preliminary design, combined with the prototype using the
       new technology stack, will meet the RRP TS1 functional requirements and performance
       requirements. By April 26, 2013, technical documentation, including the Prototype
       Management Plan, was provided to RRP stakeholders and management for review and
       concurrence.
       Prototype development status and results were communicated to project
       stakeholders.

Uncertainty About the Systems Development Path for the Return
Review Program and the Absence of Enterprise Life Cycle Guidance
for Prototypes Hindered Initial Systems Development Efforts

The IRS applies its Enterprise Life Cycle (ELC) framework to manage and implement business
change through information systems initiatives. The ELC provides the direction, processes,
tools, and assets necessary to accomplish business change through software development in a
consistent and repeatable manner. The objectives of the ELC process are to:
   • Enhance chances for successfully achieving the desired business change.
   • Standardize the approach for managing and governing business change and supporting
     information system projects throughout the IRS.
   • Help ensure project success by reducing risk and ensuring compliance with applicable
     internal and external standards.

To achieve these objectives, the ELC supports multiple software development approaches called
paths. A path is a unique technical or systems engineering approach to accomplish new systems
development. The ELC recognizes five paths for new development projects, covering all phases
of development from project initiation through system deployment. Projects are required to
select one or more paths that provide the best fit for their project solution. The ELC paths
include Waterfall, Commercial Off-the-Shelf, Iterative, Joint Application Design, or Rapid
Application Development, and Maintenance.

The Waterfall path requires sequential development of a solution with required reviews and
formal approvals before continuing work. These reviews occur within each of the six ELC
phases, and approvals must occur at the end of each phase in order to allow project work to
continue in the subsequent phase.
The following are characteristics of a Waterfall development
path approach: sequential development, evolving teams, formal documentation, and formal
approvals. The Iterative path is an adaptive development approach in which projects start with
initial planning and end with deployment, with repeated cycles of requirement discovery,
development, and testing in between. The Iterative development path is fundamentally different
from sequential development path approaches, such as Waterfall.

Based on our review of RRP project documents and discussions with Applications Development
organization personnel, the RRP project is using the Waterfall development path. However, the
Criminal Investigation Executive Steering Committee approved the RRP project to use an
Iterative development path methodology.
The chronological list of events is:
   • In October 2010, the ELC Coach advised the Applications Development organization
     against following an Iterative development path because the RRP did not meet the
     necessary requirements for following an Iterative development path.
   • In November 2010, the RRP project team requested and the Criminal Investigation
     Executive Steering Committee approved the RRP to use an Iterative development path.
   • In May 2011, the Criminal Investigation Executive Steering Committee approved for the
     RRP project to combine Milestones 3 (Preliminary Design), 4a (Detailed Design), and 4b
     (Development), which the ELC describes as typical of an Iterative development path.
   • In June 2011, the RRP TS1 Project Tailoring Plan indicated that the RRP project was
     following the Waterfall development path.
   • In February 2012, the Applications Development organization indicated that the RRP
     project was following the Waterfall development path.
   • In March 2012, the RRP TS1 Project Plan indicated that the RRP project was following
     the Waterfall development path.

This chronology of events indicates uncertainty between the Applications Development
organization’s RRP project team and its governance body regarding which development path the
RRP project is using and which systems development deliverable documents the RRP project
can be held accountable to produce. Project management risks exist that the RRP project team is
not using the development path that the Criminal Investigation Executive Steering Committee
intended.
Further, the RRP project team may not be using the development path that the
Applications Development organization identified as best suited for the RRP system.

Our review also noted that while the IRS ELC describes the Waterfall development path, there is
no ELC guidance for prototyping technology products during systems development following
the Waterfall development path. Absent prototyping guidance, there is limited assurance that
RRP prototyping activities were carried out in accordance with management’s intentions. Based
on our review of the RRP systems development, we believe that guidance regarding prototyping
products planned and completed within the Waterfall development path is needed to address
risk areas, including:
   • Complying with Enterprise Architecture processes for adding technology product
     solutions to the IRS’s information technology environment.
   • Leasing versus purchasing hardware.
   • Licensing software or requesting evaluation copies of software.
   • Acquiring and disposing of prototype assets, for both success and failure conditions.

Recommendations

Recommendation 4: The CTO should document for approval by established RRP
governance bodies the decided RRP systems development path.

       Management’s Response: The IRS agreed with this recommendation.
       RRP will request formal approval and decision documentation to follow the Waterfall
       systems development path from the newly established governance body, the Revenue
       Protection Technology Executive Steering Committee, based on the previous approval
       obtained from the Criminal Investigation Executive Steering Committee.

Recommendation 5: The CTO should ensure that the IRS IT organization establishes
sufficient ELC guidance for managing prototype efforts during systems development.

       Management’s Response: The IRS agreed with this recommendation. The ELC
       office will update Internal Revenue Manual 2.16.1 to incorporate additional guidance for
       prototype, pilot, and proof-of-concept efforts. The guidance will be captured in one
       particular section within the Internal Revenue Manual instead of multiple sections.

Alternative Commercial Software Products Were Not Fully Considered
Prior to Selecting Technology Product Solutions for the Return
Review Program

The IRS IT Enterprise Architecture organization maintains an approved software products list
referred to as the Enterprise Standards Profile.4 The Enterprise Architecture organization’s
change request process is intended to ensure that the IRS IT Enterprise Architecture organization
reviews and approves all new technology products added to the IRS computing environment.
Adding a product to the Enterprise Standards Profile requires the Applications Development
organization to complete a change request, including alternative product analyses and impact
assessments.
We reviewed five change requests related to the RRP system and identified the
following inconsistencies in two of the five change requests:
   • One change request did not include an alternative analysis (Java).
   • One change request was missing an impact assessment, although the change request
     stated that the change affected an organization (Red Hat Linux).
   • The Enterprise Architecture organization did not require an alternative analysis or impact
     assessment for a later version of a product that was already on the Enterprise Standards
     Profile (Red Hat Linux).

4 Internal Revenue Manual 2.15.1.3.5.1 (Aug. 1, 2003) pertains to the Enterprise Standards Profile and identifies
approved products and guidelines applicable to the IRS’s target architecture.

Figure 3 lists the hardware and software products approved by the CTO in August 2011 for the
RRP TS1–TS4. It also shows the Enterprise Architecture organization’s approval status of the
respective products.

    Figure 3: RRP Technology Hardware/Software Products Being Prototyped

 Product       Type                  Product                        Enterprise Standards       Developer
 Function                                                           Profile Status

 Server        x86 Servers           Hewlett-Packard ProLiant       Approved                   Hewlett-Packard
 Hardware

 Operating     Linux                 Red Hat Enterprise Linux       Approved                   Red Hat Corporation
 System

 Database      Massively Parallel    Greenplum                      Approved                   EMC Corporation
               Processing

 Program       Java Virtual          Java                           Approved                   Oracle Corporation
 Language      Machine

 Data Mining   Predictive            SAS Fraud Framework (SAS       In Process                 SAS Institute
 Tools         Modeling and          Enterprise CASE Management
               Linked Return         SAS Enterprise Guide
               Analysis              SAS Enterprise Miner
                                     SAS Grid Manager
                                     SAS Forecast Server
                                     SAS Enterprise Business
                                     Intelligence Server
                                     SAS Social Network Analysis
                                     SAS Model Manager
                                     SAS Text Miner
                                     Scoring Accelerator for
                                     Greenplum Access to Oracle)

 Java          Java 2 Platform       JavaBeans Open Source          Approved                   Red Hat Corporation
 Application   Enterprise Edition    Software Application Server
 Server                              and Development
                                     Environment

 Batch         Spring Batch          Spring Framework (Spring       The Cybersecurity          EMC Corporation
 Processing                          Batch Component) adds          organization disapproved
                                     utilities to JavaBeans Open    the change request;
                                     Source Software                however, the Change
                                                                    Control Board accepted
                                                                    the security risks and
                                                                    approved the request.

 Business      Business Rules        Fair Isaac Corporation Blaze   Approved                   Fair Isaac Corporation
 Rules         Management            Advisor Builder
               System for            Decision Simulator
               Predictive
               Analytics

 Extract,      The Enterprise        Enterprise Informatica         Approved                   Informatica Corporation
 Transform,    Informatica           Platform
 and Load      Platform is a tool
               to extract,
               transform, and load
               data from existing
               data sources to
               application
               databases

 Reports       Web-enabled ad        Business Objects               Approved                   System Analysis and
               hoc query and data                                                              Program Development
               reporting tool

Source: Obtained from the IRS Enterprise Architecture organization’s Enterprise Standards Profile database as of
May 2012.

Again, we considered the Applications Development organization’s March 2012 internal
evaluation of its systems development processes. The evaluation team concluded that a
weakness existed in the Applications Development organization’s processes for evaluating
alternative products. More specifically, the evaluation team concluded that it was not clear when
alternative analyses were required and how the Applications Development organization should
conduct the analyses.
If alternative products are not fully considered as required with complete
alternative analyses and impact assessments, the IRS risks buying software and building systems
that are duplicative, incompatible, insecure, and unnecessarily costly to integrate and maintain.

Recommendations

Recommendation 6: The CTO should take appropriate steps to:
   • Ensure that the RRP project team complies with existing guidance that requires change
     requests to include alternative analyses.
   • Ensure that the RRP project team complies with existing guidance that requires change
     requests to include an impact assessment.
   • Establish and implement Enterprise Architecture guidelines for evaluating later versions
     of tested commercial products included in the Enterprise Standards Profile.

       Management’s Response: The IRS agreed with this recommendation. The
       Enterprise Architecture organization’s Standards and Technology Management Team
       will develop a Data Item Description template for analyzing and processing Enterprise
       Architecture Change Requests in a standard, repeatable process.
       In accordance with the process, the Standards and Technology Management Team will
       evaluate all requests to add or update products in the Enterprise Standards Profile.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS’s IT Applications Development
organization was adequately managing the RRP TS1 systems development risks to achieve stated
business and information technology requirements. To accomplish our objective, we:
I.     Considered status of key milestones, criteria, and guidance relevant to the RRP TS1
       systems development effort.
II.    Evaluated how the Applications Development organization managed RRP project
       management risks to achieve stated business and information technology requirements.
       A. Systems Development Methodology. We asked what systems development
          methodology the Applications Development organization was using.
       B. Governance. We evaluated if the IRS IT organization had implemented sufficient
          program-level governance for the RRP.
       C. Alternative Solutions. We assessed how the Applications Development organization
          considered alternative technology product solutions for the design of RRP TS1.
III.   Determined if the Applications Development organization was adequately managing
       RRP TS1 prototype risks to achieve stated business and information technology
       requirements.
       A. Internal Revenue Manual Policy and Applicable Guidance.
          We assessed the adequacy of existing IRS IT organization guidance regarding
          initiating and managing prototype projects.
       B. Prototype Plan. We assessed if the Applications Development organization had
          completed the RRP Prototype Management Plans and obtained proper management
          approval.
       C. Enterprise Architecture. We reviewed the IRS IT organization’s process for updating
          the existing enterprise architecture for new systems development technology
          products. We assessed if the Applications Development organization had followed
          stated processes for the RRP.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: the ELC and related IRS information
technology guidelines and the processes followed in the development of information technology
projects.
We evaluated these controls by reviewing the guidelines, conducting interviews and
meetings with management and staff, and reviewing project documents.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Gwendolyn McGowan, Director, Systems Modernization and Applications Development
Carol Taylor, Audit Manager
Charlene Elliston, Lead Auditor
Andrea Barnes, Senior Auditor
Cari Fogle, Senior Auditor
Sylvia Sloan-Copeland, Senior Auditor
Robert Carpenter, Senior Information Technology Specialist

Appendix III

Report Distribution List

Principal Deputy Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Office of the Deputy Commissioner for Services and Enforcement SE
Deputy Commissioner for Operations Support OS
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer for Operations OS:CTO
Director, Privacy, Governmental Liaison and Disclosure OS:P
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Enterprise Services OS:CTO:ES
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Director, Business Performance Solution, Wage and Investment Division SE:W:BMO:BPS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Timeline – Return Review Program Project Events

This appendix provides a detailed timeline for specific RRP system events and milestones that
were considered during this review.

Appendix V

Glossary of Terms

Term                Definition

Alternative         Process of assessing different products.
Product
Analyses

Business Case       Required by Office of Management and Budget Circular A-11 (Preparation,
                    Execution, and Submission of the Budget, dated June 2005) and commonly
                    called Exhibit 300, Capital Asset Plan and Business Case. Each agency must
                    submit a Business Case twice a year for each major information technology
                    investment.

Change Request      The form for requesting approval to change a baselined product or other
                    controlled item.

Cost-Plus-          A type of cost-plus contract in which the fee is based on either cost savings
Incentive-Fee       or performance. It varies according to the level the contractor achieves in
                    meeting such cost or performance criteria.

Electronic Fraud    The primary information system used to support the IRS Criminal
Detection           Investigation’s Questionable Refund Program, which is a nationwide
System              program established to detect and stop fraudulent and fictitious claims for
                    refunds on income tax returns.

Enterprise          A unifying design or structure for an enterprise that includes business and
Architecture        organizational aspects of the enterprise as well as technology aspects.
                    Enterprise Architecture divides the enterprise into its component parts and
                    relationships and provides the principles, constraints, and standards to help
                    align business area development efforts. An Enterprise Architecture ensures
                    that subordinate architectures and business system components developed
                    within particular business areas and multiple projects fit together into a
                    consistent, integrated whole.

Enterprise Life     A structured business systems development methodology that requires the
Cycle               preparation of specific work products during different phases of the
                    development process.

Executive           A committee that oversees investments, including validating major
Steering            investment business requirements and ensuring that enabling technologies are
Committee           defined, developed, and implemented.

Fiscal Year         A 12-consecutive-month period ending on the last day of any month.
                    The Federal Government’s fiscal year begins on October 1 and ends on
                    September 30.

Impact              A process aimed at structuring and supporting the development of policies.
Assessment          It identifies and assesses the problem at stake and the objectives pursued.

Java                A set of several computer software products and specifications from
                    Sun Microsystems (which has since merged with Oracle Corporation) that
                    together provide a system for developing application software and deploying
                    it in a cross-platform computing environment.

Master File         The IRS database that stores various types of taxpayer account information.
                    This database includes individual, business, and employee plans and exempt
                    organizations data.

Milestone           Scheduled time for providing a “go/no-go” decision point in a program or
                    project.

Red Hat             A Linux-based operating system developed by Red Hat and targeted toward
Enterprise          the commercial market. Red Hat Enterprise Linux is released in server
Linux               versions for x86, x86-64, Itanium, PowerPC and IBM System z, and desktop
                    versions for x86 and x86-64.

Stakeholders        An individual or organization that is materially affected by the outcome of
                    the system. Examples of project stakeholders include the customer, the user
                    group, the project manager, the development team, and the testers.

Appendix VI

Management’s Response to the Draft Report